DETAILED ACTION

1. This office action is in response to the amendment filed 12/28/05.

2. Claims 1-4, 34 were amended. 

3. Claims 5, 11, 16, 37 and 60 are canceled. 

4. Claims 1-4, 6-10, 12-15, 17-36, 38-59 and 61-68 are pending in this office action. 

Response to Arguments 

5. Applicant's arguments with respect to claims 1-4, 6-10, 12-15, 17-36, 38-59 and 
61-68 have been considered but are moot in view of the new ground(s) of rejection. 

6. The rejection of Claim 1 under 35 U.S.C. 112, second paragraph, is maintained.

Claim Rejections - 35 USC §112 

7. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

8. Claims 1, 2, 6, 14, 27, 28, 39, 30, 32 are rejected under 35 U.S.C. 112, second
paragraph, as being indefinite for failing to particularly point out and distinctly claim the
subject matter which applicant regards as the invention.

9. Claims 1, 2, 6, 14, 27, 28, 39, 30, 32 recite the limitation "preselected criterion".
There is insufficient antecedent basis for this limitation in the claim. The examiner
suggests simply changing, in claim 1, "for the presence of at least one criterion" to "for
the presence of at least one preselected criterion".

Claim Rejections - 35 USC § 103

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

11. Claims 1-4, 6-8, 12, 13, 15, 17-21, 23, 27-33 and 65-67 are rejected under 35 
U.S.C. 103(a) as being unpatentable over "Implementing a Generalized Tool for 
Network Monitoring" by Ranum et al. (Ranum) in view of U.S. Patent 6,266,664 by 
Russell-Falla et al. (Russell-Falla) and U.S. Patent 6,453,345 by Trcka et al. (Trcka). 

12. With respect to Claim 1, Ranum teaches in a computer network, a method for
maintaining an acceptable use policy comprising: 

receiving input from a user selecting event types and patterns for use in 
monitoring network communications (Page 1 - Background and Motivation - points 2 
and 3; Page 2 - first paragraph under Decision Engine). 

monitoring TCP/IP network communications (Page 2 - first paragraph under 
Decision Engine); 

storing at least some of said TCP/IP network communications (Page 2 - Packet 
Suckers - packet capture is mainly referenced as using buffers for storing packets, only 
explicit example is a RAM buffer), even when the communication does not conform to a 
known protocol (Page 2 - Packet Suckers - packet suckers capture raw data packets of 
the network interface; note also Page 5, 2nd paragraph under N-code Filtering, the NFR
engine can handle any packets sent under TCP/IP);

testing the stored communications for the presence of at least one criterion
(Pages 2-3: all of Decision Engine, Pages 5-6: all of N-code Filtering), wherein the 
criterion are defined by a user (Pages 2-3: all of Decision Engine, Pages 5-6: all of N-
code Filtering - noting that the filters are defined by the user according to user's wants
and needs), and is associated with the event types and patterns (Page 1 - Background 
and Motivation - points 2 and 3; Page 2 - first paragraph under Decision Engine; Pages 
5-6: all of N-code Filtering; note also that criterion may include strings and patterns 
found within packets, such as email senders); 

deleting the communications if the presence of said at least one preselected
criterion is not determined (Page 2: 2nd paragraph under Decision Engine - packets are
discarded after filtering);

storing the communications if the presence of said at least one preselected
criterion is determined (Page 2: 2nd paragraph under Decision Engine - record
mechanism logs data to backends. Backends are described on pages 3-4. Examples
of storing communications based on the presence of the criterion are given on pages 5-
6 under N-code Filtering).

Ranum does not explicitly disclose the at least some of said TCP/IP network 
communications being stored on a disk. Trcka teaches raw data packets can be 
captured and stored on a disk (Col. 7 lines 13-27). 

Ranum does not explicitly disclose that a user is selecting a subject matter
category for use in monitoring network communications such that the at least one 
criterion is associated with the user selected subject matter category and comprises one 



Application/Control Number: 09/759,089 Page 5 

Art Unit: 2155 

or more regular expressions. Russell-Falla teaches the use of subject matter categories 
for use in monitoring network communications (Col. 4 lines 45-60). Communications 
are tested for criterion associated with a selected subject matter category (Col. 4 line 61 
- Col. 5 line 35). The at least one criterion comprises one or more regular expressions 
(Col. 5 lines 3-35). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum and modify it as indicated 
by Trcka and Russell-Falla such that the method further comprises receiving input from 
a user selecting a subject matter category for use in monitoring network 
communications; storing at least some of said TCP/IP network communications on disk; 
and testing the stored communications for the presence of at least one criterion, 
wherein the criterion are defined by a user, is associated with the user selected subject 
matter category, and comprises one or more regular expressions. One would be 
motivated to incorporate the teachings of Trcka as there is need for providing adequate 
space for storing captured data packets (In Trcka: Col. 7 lines 13-27; and In Ranum:
Page 2 - Packet Suckers). One would be motivated to incorporate the teachings of
Russell-Falla as there is need for monitoring specific subject matter categories (In
Russell-Falla: Col. 2 lines 24-36; and In Ranum: see abstract which discusses
suggested applications which relate to monitoring particular types of events and
applications).

13. With respect to Claim 2, Ranum and Trcka further teach using any number of
filters and that the number of filters is based on the user's needs (In Ranum: Page 2: 
Decision Engine; Page 6: Performance). 

Ranum and Trcka do not explicitly disclose wherein the preselected criterion
comprises two or more subject matter categories. Russell-Falla teaches the use of 
subject matter categories for use in monitoring network communications (Col. 4 lines 
45-60). Specifically, the invention can be used to detect any specific type of selected 
content (Col. 4 lines 45-60 - several example subject matter categories are listed). 

It would have been obvious to one of ordinary skill in the art at the time the
invention was made to take the method disclosed by Ranum and Trcka and modify it as 
indicated by Russell-Falla such that the method further comprises wherein the 
preselected criterion comprises two or more subject matter categories. One would be 
motivated to have this, as there is need for detecting any specific type of selected 
content related to subject matter categories (In Russell-Falla: Col. 2 lines 24-36). 

14. With respect to Claim 3, Ranum further teaches wherein said subject matter 
categories comprise regular expressions (In Russell-Falla: Col. 5 lines 3-35). 

15. With respect to Claim 4, Ranum further teaches wherein said regular expressions 
are weighted based on input received from a user (In Russell-Falla: Col. 4 lines 4-13 
and Col. 6 lines 56-65 - particularly note that the training sets to determine the weights 
must be designated by a human. In other words, a human (i.e., a user) must designate
whether a training sample is in the particular category or not. The examiner considers
this to be within the scope of the claim).

16. With respect to Claim 6, Ranum further teaches wherein the preselected criterion
is weighted (In Russell-Falla: Col. 5 lines 16-35). 

17. With respect to Claim 7, Ranum further teaches wherein said regular expressions 
are weighted with either positive or negative values (In Russell-Falla: Col. 3 line 60 - 
Col. 4 line 3). 

18. With respect to Claim 8, Ranum and Trcka do not explicitly state wherein
regular expressions within a subject matter category having a negative value are 
processed before regular expressions having a positive value. 

Russell-Falla teaches the processing of regular expressions with both negative 
and positive values for a given subject matter category (Col. 5 lines 16-35). Based on 
the algorithm (Col. 5 line 25), it is mathematically arbitrary as to whether negative 
values are processed before positive values. 

As such, it would have been obvious to one of ordinary skill in the art at the time
the invention was made to take the method disclosed by Ranum and Trcka and modify 
it as indicated by Russell-Falla such that the method further comprises wherein regular 
expressions within a subject matter category having a negative value are processed 
before regular expressions having a positive value. One would be motivated to have 
this, as it is an arbitrary design choice since the overall sum determines the score (In 
Russell-Falla: Col. 5 lines 16-35). 

19. With respect to Claim 12, Ranum further teaches wherein the computer network 
is a wide area network (In Ranum: Page 2 - Overview of the NFR Architecture; Page 5 
N-code filtering; and Page 6 Performance - noting that the intended network is any
suitable network such as those running TCP/IP and Ethernet protocols, which would
include wide area networks). 

20. With respect to Claim 13, Ranum further teaches wherein the computer network 
is a local area network (In Ranum: Page 2 - Overview of the NFR Architecture; Page 5 
N-code filtering; and Page 6 Performance - noting that the intended network is any 
suitable network such as those running TCP/IP and Ethernet protocols, which would 
include local area networks). 

21. With respect to Claim 15, Ranum further teaches said subject matter categories
comprise key words (Col. 3 lines 1-9 of Russell-Falla). 

22. With respect to Claim 17, Ranum further teaches assigning a threshold value to 
each subject matter category (Col. 5 lines 47-64 of Russell-Falla). 

23. With respect to Claim 18, Ranum further teaches at least some of said subject 
matter categories comprise one or more predetermined expressions (Col. 3 lines 36-51 
of Russell-Falla). 

24. With respect to Claim 19, Ranum further teaches assigning a value to said 
predetermined expressions (Col. 3 lines 59-66 of Russell-Falla). 

25. With respect to Claim 20, Ranum further teaches summing the values of said 
predetermined expressions (Col. 3 line 60 - Col. 4 line 3 of Russell-Falla). 

26. With respect to Claim 21, Ranum further teaches said communication is further
stored (In Ranum: Page 2: 2nd paragraph under Decision Engine - record mechanism
logs data to backends. Backends are described on pages 3-4. Examples of storing
communications based on the presence of the criterion are given on pages 5-6 under N-
code Filtering) if the sum of values of said predetermined expressions comprising a
subject matter category equal or exceed the threshold value assigned to said subject 
matter category (Col. 5 lines 47-64 and Col. 6 lines 29-34 of Russell-Falla). 

27. With respect to Claim 23, Ranum further teaches said threshold values assigned 
to said subject matter categories are variable (Col. 5 lines 47-64 of Russell-Falla). 

28. With respect to Claim 27, Ranum further teaches outputting a report relating to 
the presence of said at least one preselected criterion (In Ranum: Pages 3-4, see 
figures). 

29. With respect to Claim 28, Ranum further teaches wherein said report identifies 
individuals whose use of the computer network included communications which 
matched preselected criterion (In Ranum: Abstract, Page 3, backends and Fig. 1, Page 
6 Events). 

30. With respect to Claim 29, Ranum further teaches wherein said report identifies 
network addresses where communications were received or originated that included 
matched preselected criterion (In Ranum: Abstract, Page 3, backends and Fig. 1). 

31. With respect to Claim 30, Ranum further teaches outputting a report relating to
the presence of the preselected criterion, wherein report identifies the number of 
matches in a category (In Ranum: Abstract, Page 3, backends and Fig. 1). 

32. With respect to Claim 31, Ranum further teaches wherein said report is in a
graphical format (In Ranum: Pages 3-4 see figures).

33. With respect to Claim 32, Ranum further teaches wherein said report provides
the text of all communications that match said preselected criterion (In Ranum: Abstract,
Page 3, backends and Fig. 1, Page 6 Events).

34. With respect to Claim 33, Ranum further teaches wherein said report is in a 
human readable format (In Ranum: Pages 3-4 see figures). 

35. With respect to Claim 65, Ranum further teaches wherein at least one stored half 
session comprises a plurality of independent parts, and the testing is performed 
individually on each independent part (In Trcka: Col. 12 line 65 - Col. 13 line 49 and
Col. 6 lines 1-25).

36. With respect to Claim 66, Ranum further teaches wherein the independent parts
comprise individual emails (In Russell-Falla: Col. 8 lines 51-60) and (In Trcka: Col. 14
line 61 - Col. 15 line 9).

37. With respect to Claim 67, Ranum further teaches wherein the independent parts
comprise message attachments (In Russell-Falla: Col. 8 lines 51-60) and (In Trcka: Col.
14 line 61 - Col. 15 line 9). 

38. Claims 9 and 10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Ranum in view of Trcka and Russell-Falla as applied to claim 4 above, and further in 
view of U.S. Patent 5,878,423 by Anderson et al. (Anderson). 

39. With respect to Claim 9, Ranum in view of Trcka and Russell-Falla does not 
explicitly disclose prioritizing the order which regular expressions within a subject matter 
category are tested.

Anderson teaches prioritization of the use of keywords with corresponding
subject matter categories (Col. 11 lines 1-12 and lines 40-46). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Anderson such that the method further 
comprises prioritizing the order which regular expressions within a subject matter 
category are tested. One would be motivated to have this, as it improves searching by 
providing the more important and useful information first (In Anderson: Col. 11 lines 40- 
46). 

40. With respect to Claim 10, Ranum in view of Trcka and Russell-Falla further 
teaches wherein said prioritizing reduces the likelihood of false hits (In Anderson: Col. 
11 lines 40-46).



41. Claims 14, 22, 24, 25 and 26 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Ranum in view of Trcka and Russell-Falla as applied to claim 2 
above, and further in view of U.S. Patent 5,371,807 by Register et al. (Register).

42. With respect to Claim 14, Ranum in view of Trcka and Russell-Falla does not 
explicitly disclose where the presence of the preselected criterion in at least one of said 
categories comprises a match in a plurality of categories.

Register teaches a plurality of categories associated with regular expressions,
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises where the presence of the preselected criterion in at least one of said 
categories comprises a match in a plurality of categories. One would be motivated to 
have this, as there is need for detecting any specific type of selected content related to 
subject matter categories (In Russell-Falla: Col. 2 lines 24-36).

43. With respect to Claim 22, Ranum in view of Trcka and Russell-Falla does not
explicitly disclose wherein the threshold value of at least one subject matter category 
comprises equaling or exceeding the threshold value in a plurality of subject matter 
categories. 

Register teaches a plurality of categories associated with regular expressions, 
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). This may 
occur in a hierarchical fashion (Col. 9 lines 51-63). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises wherein the threshold value of at least one subject matter category
comprises equaling or exceeding the threshold value in a plurality of subject matter
categories. One would be motivated to have this, as there is need for detecting any 
specific type of selected content related to subject matter categories (In Russell-Falla: 
Col. 2 lines 24-36). 

44. With respect to Claim 24, Ranum in view of Trcka and Russell-Falla does not 
explicitly disclose wherein said subject matter categories have a hierarchical 
relationship. 

Register teaches a plurality of categories associated with regular expressions, 
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). The 
categories have a hierarchical relationship (Col. 9 lines 51-63). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises wherein said subject matter categories have a hierarchical relationship. One 
would be motivated to have this, as there is need for detecting any specific type of 
selected content related to subject matter categories (In Russell-Falla: Col. 2 lines 24-
36). 

45. With respect to Claim 25, Ranum in view of Trcka and Russell-Falla further 
teaches wherein said hierarchical relationship comprises defining the threshold value for 
at least one subject matter category as the presence of predetermined expressions in a
plurality of other subject matter categories (In Register: Col. 5 lines 34-61 and Col. 9
lines 51-63). 

46. With respect to Claim 26, Ranum in view of Trcka and Russell-Falla further 
teaches said hierarchical relationship comprises defining the threshold value for at least 
one subject matter category as matching or exceeding the threshold value assigned to a 
plurality of other subject matter categories (In Register: Col. 5 lines 34-61 and Col. 9 
lines 51-63). 

47. Claims 34-36, 38, 39, 44, 47-55, 57-59 and 61-64 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Russell-Falla in view of Ranum and U.S. Patent
5,835,722 by Bradshaw et al. (Bradshaw). 

48. With respect to Claim 34, Russell-Falla teaches a method for monitoring and 
maintaining an acceptable use policy for computer network usage (Col. 1 lines 26-34) 
comprising: 

capturing data on a network (Col. 4 line 61 - Col. 5 line 4) wherein the data 
comprises multiple half sessions of TCP/IP communications (It is inherent that any 
network communication data on a network such as the Internet/Web - Col. 4 line 61 -
Col. 5 line 21 and Col. 1 lines 37-45 - would comprise multiple half sessions of TCP/IP 
communications);

removing data content that does not contain language elements (Col. 5 lines 5-
11 - the examiner considers the act of identifying and analyzing natural language 
elements to be within the scope of the limitation); 

testing the remaining content for the presence of predetermined expressions 
(Col. 5 lines 5-11) wherein the predetermined expressions comprise two or more
categories (Col. 4 lines 45-60 and Col. 9 lines 9-12) each containing predetermined 
expressions (Col. 5 lines 5-35); 

maintaining a sum of values associated with said predetermined expressions 
found within at least one category (Col. 3 line 65 - Col. 4 line 3); 

determining if the remaining data is within a category if the sum of values 
associated with said predetermined expressions within a category meets or exceeds a 
threshold value (Col. 5 lines 5-64).

Russell-Falla does not explicitly disclose the predetermined expressions are 
defined by a user. Bradshaw teaches the use of predetermined expressions to identify 
a category where the predetermined expressions can be defined by a user (Col. 7 lines 
18-38). 

Russell-Falla does not explicitly disclose storing the data when the data is 
determined to be within a category. Ranum teaches the storage of data for purposes of 
logging and auditing when the data is found to have the presence of predetermined 
expressions (Page 1 - Background and Motivation - points 2 and 3; Page 2 - first 
paragraph under Decision Engine and Page 2: 2nd paragraph under Decision Engine -
record mechanism logs data to backends. Backends are described on pages 3-4.
Examples of storing communications based on the presence of the criterion are given
on pages 5-6 under N-code Filtering). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Russell-Falla and modify it as 
indicated by Ranum and Bradshaw such that the method further comprises wherein the 
predetermined expressions comprise two or more categories each containing 
predetermined expressions defined by a user; and storing the remaining data if the sum 
of values associated with said predetermined expressions within a category meets or 
exceeds a threshold value. One would be motivated to incorporate the teachings of 
Bradshaw as there is need for allowing users to define the expressions related to 
particular subject matter categories (In Bradshaw: Col. 2 lines 34-45 and Col. 7 lines 18- 
38). One would be motivated to incorporate the teachings of Ranum as it is desirable 
by network managers to be able to log and review particular types of network events
and communications (In Ranum: see abstract). 

49. With respect to Claim 35, Russell-Falla further teaches the computer network is a 
wide area network (Col. 1 lines 37-45 of Russell-Falla). 

50. With respect to Claim 36, Russell-Falla further teaches wherein the computer
network is a local area network (In Ranum: Page 2 - Overview of the NFR Architecture; 
Page 5 N-code filtering; and Page 6 Performance - noting that the intended network is 
any suitable network such as those running TCP/IP and Ethernet protocols, which 
would include local area networks).

51. With respect to Claim 38, Russell-Falla further teaches said expressions are
weighted (Col. 3 lines 55-67 of Russell-Falla). 

52. With respect to Claim 39, Russell-Falla further teaches said expressions are 
weighted with either positive or negative values (Col. 3 line 60 - Col. 4 line 3 of Russell- 
Falla). 

53. With respect to Claim 44, Russell-Falla further teaches said expressions are 
regular expressions (Col. 3 lines 1-6 of Russell-Falla). 

54. With respect to Claim 47, Russell-Falla further teaches said threshold value for a 
category is variable (Col. 5 lines 47-63 of Russell-Falla). 

55. With respect to Claim 48, Russell-Falla further teaches outputting a report 
relating to the presence of predetermined expressions (Col. 6 lines 29-34 of Russell- 
Falla). 

56. With respect to Claim 49, Russell-Falla further teaches said report identifies 
individuals whose use of the computer network included communications which
matched predetermined expressions (Col. 6 line 29-34, note the functionality of the 
report in Russell-Falla is tied to a user - Col. 6 lines 15-21 of Russell-Falla) and (In 
Ranum: Abstract, Page 3, backends and Fig. 1, Page 6 Events). 

57. With respect to Claim 50, Russell-Falla further teaches said report identifies 
network addresses where communications were received or originated that included 
matched predetermined expressions (In Ranum: Abstract, Page 3, backends and Fig. 
1).

58. With respect to Claim 51, Russell-Falla further teaches outputting a report
relating to the presence of predetermined expressions, wherein said report identifies the 
number of matches in a category (In Ranum: Abstract, Page 3, backends and Fig. 1). 

59. With respect to Claim 52, Russell-Falla further teaches wherein said report is in a 
graphical format (In Ranum: Pages 3-4 see figures). 

60. With respect to Claim 53, Russell-Falla further teaches wherein said report 
provides the text of all communications that match said predetermined expressions (In 
Ranum: Abstract, Page 3, backends and Fig. 1, Page 6 Events). 

61. With respect to Claim 54, Russell-Falla further teaches wherein said report is in a
human readable format (In Ranum: Pages 3-4 see figures). 

62. With respect to Claim 55, Russell-Falla teaches a method for monitoring and 
maintaining an acceptable use policy for computer network usage (Col. 1 lines 26-34) 
comprising: 

capturing TCP/IP data on a network (Col. 4 line 61 - Col. 5 line 4);

removing data content that does not contain language elements (Col. 5 lines 5-
11 - the examiner considers the act of identifying and analyzing natural language
elements to be within the scope of the limitation);

defining categories (Col. 4 lines 45-67 - can detect any selected type of content, 
several example subject matter categories are listed) with weighted predetermined 
expressions (Col. 3 lines 36-51).

testing the remaining content for the presence of predetermined expressions 
(Col. 5 lines 5-11);

maintaining a sum of values associated with said predetermined expressions
found within each category (Col. 3 line 65 - Col. 4 line 3); 

determining if the remaining data is within a category if the sum of values 
associated with said predetermined expressions present within a category exceeds a 
threshold value (Col. 5 lines 47-64 and Col. 6 lines 29-34).

Russell-Falla does not explicitly disclose the predetermined expressions are 
defined by a user. Bradshaw teaches the use of predetermined expressions to identify 
a category where the predetermined expressions can be defined by a user (Col. 7 lines 
18-38). 

Russell-Falla does not explicitly disclose storing the data when the data is 
determined to be within a category. Ranum teaches the storage of data for purposes of 
logging and auditing when the data is found to have the presence of predetermined 
expressions (Page 1 - Background and Motivation - points 2 and 3; Page 2 - first 
paragraph under Decision Engine and Page 2: 2nd paragraph under Decision Engine -
record mechanism logs data to backends. Backends are described on pages 3-4.
Examples of storing communications based on the presence of the criterion are given
on pages 5-6 under N-code Filtering). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Russell-Falla and modify it as 
indicated by Ranum and Bradshaw such that the method further comprises wherein the 
predetermined expressions comprise two or more categories each containing 
predetermined expressions defined by a user; and storing the remaining data if the sum
of values associated with said predetermined expressions present within a category
exceeds a threshold value. One would be motivated to incorporate the teachings of 
Bradshaw as there is need for allowing users to define the expressions related to 
particular subject matter categories (In Bradshaw: Col. 2 lines 34-45 and Col. 7 lines 18- 
38). One would be motivated to incorporate the teachings of Ranum as it is desirable 
by network managers to be able to log and review particular types of network events 
and communications (In Ranum: see abstract). 

63. With respect to Claim 57, Russell-Falla further teaches the threshold value for a 
category is defined as the presence of no predetermined expressions (Col. 5 lines 47- 
64 of Russell-Falla). 

64. With respect to Claim 58, Russell-Falla further teaches the computer network is a 
wide area network (Col. 1 lines 37-45 of Russell-Falla). 

65. With respect to Claim 59, Russell-Falla further teaches wherein the computer
network is a local area network (In Ranum: Page 2 - Overview of the NFR Architecture; 
Page 5 N-code filtering; and Page 6 Performance - noting that the intended network is 
any suitable network such as those running TCP/IP and Ethernet protocols, which 
would include local area networks). 

66. With respect to Claim 61, Russell-Falla further teaches outputting a report
relating to the presence of predetermined expressions whose sum meets or exceeds the
threshold value of a category (Col. 6 lines 29-34). 

67. With respect to Claim 62, Russell-Falla further teaches said report identifies 
individuals whose use of the computer network included communications which
contained predetermined expressions whose sum matched or exceeded the threshold
value of at least one category (Col. 6 line 29-34, note the functionality of the report in
Russell-Falla is tied to a user - Col. 6 lines 15-21 of Russell-Falla) and (In Ranum:
Abstract, Page 3, backends and Fig. 1, Page 6 Events).

68. With respect to Claim 63, Russell-Falla further teaches wherein said report 
identifies network addresses where communications were received or originated that 
included predetermined expressions whose sum matched or exceeded the threshold 
value of at least one category (In Ranum: Abstract, Page 3, backends and Fig. 1). 

69. With respect to Claim 64, Russell-Falla further teaches wherein said report is in a 
graphical format (In Ranum: Pages 3-4 see figures). 



70. Claims 40-43 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Russell-Falla in view of Ranum and Bradshaw as applied to claim 39 above, and further 
in view of Anderson. 

71. With respect to Claim 40, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose prioritizing the order in which regular expressions within a subject 
matter category are tested. 

Anderson teaches prioritization of the use of keywords with corresponding 
subject matter categories (Col. 11 lines 1-12 and lines 40-46). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Russell-Falla in view of Ranum 
and Bradshaw and modify it as indicated by Anderson such that the method further 
comprises prioritizing the order in which regular expressions within a subject matter 
category are tested. One would be motivated to have this, as it improves searching by 
providing the more important and useful information first (In Anderson: Col. 11 lines 40- 
46). 

72. With respect to Claim 41, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose wherein the negative valued regular expressions are tested first. 

However, Russell-Falla teaches the processing of regular expressions with both 
negative and positive values for a given subject matter category (Col. 5 lines 16-35). 
Based on the algorithm (Col. 5 line 25), it is mathematically arbitrary as to whether 
negative values are processed before positive values. 

As such, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to take the method disclosed by Ranum and Trcka and modify 
it as indicated by Russell-Falla such that the method further comprises wherein the 
negative valued regular expressions are tested first. One would be motivated to have 
this, as it is an arbitrary design choice since the overall sum determines the score (In 
Russell-Falla: Col. 5 lines 16-35). 

73. With respect to Claim 42, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose wherein said negative and positive valued regular expressions are 
separately tested in order of largest value to smallest value. 

However, Russell-Falla teaches the processing of regular expressions with both 
negative and positive values for a given subject matter category (Col. 5 lines 16-35). 
Based on the algorithm (Col. 5 line 25), it is mathematically arbitrary as to whether the 
negative and positive valued regular expressions are separately tested in order of 
largest value to smallest value. 

As such, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to take the method disclosed by Ranum and Trcka and modify 
it as indicated by Russell-Falla such that the method further comprises wherein said 
negative and positive valued regular expressions are separately tested in order of 
largest value to smallest value. One would be motivated to have this, as it is an 
arbitrary design choice since the overall sum determines the score (In Russell-Falla: 
Col. 5 lines 16-35). 

74. With respect to Claim 43, Russell-Falla further teaches wherein the order of said 
prioritizing is determined based upon reducing the likelihood of false hits (In Anderson: 
Col. 11 lines 1-12 and lines 40-46). 

75. Claims 45, 46 and 56 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Russell-Falla in view of Ranum and Bradshaw as applied to claim 34 above, and 
further in view of Register. 

76. With respect to Claim 45, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose wherein the threshold value for at least one category comprises 
meeting or exceeding the threshold value for a plurality of other categories. 

Register teaches a plurality of categories associated with regular expressions, 
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). This may 
occur in a hierarchical fashion (Col. 9 lines 51-63). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises wherein the threshold value for at least one category comprises meeting or 
exceeding the threshold value for a plurality of other categories. One would be 
motivated to have this, as there is need for detecting any specific type of selected 
content related to subject matter categories (In Russell-Falla: Col. 2 lines 24-36). 

77. With respect to Claim 46, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose wherein the threshold value of at least one category comprises 
meeting or exceeding the threshold value for at least one other category and not 
meeting or exceeding the threshold value for at least another category. 

Register teaches a plurality of categories associated with regular expressions, 
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). This may 
occur in a hierarchical fashion (Col. 9 lines 51-63). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises wherein the threshold value of at least one category comprises meeting or 
exceeding the threshold value for at least one other category and not meeting or 
exceeding the threshold value for at least another category. One would be motivated to 
have this, as there is need for detecting any specific type of selected content related to 
subject matter categories (In Russell-Falla: Col. 2 lines 24-36). 

78. With respect to Claim 56, Russell-Falla in view of Ranum and Bradshaw does not 
explicitly disclose wherein said remaining data is stored only if the sum of 
predetermined expressions exceeds the threshold value in a plurality of categories. 

Register teaches a plurality of categories associated with regular expressions, 
where the presence of preselected criterion in at least one of the categories can mean a 
match in a plurality of categories (Col. 5 lines 34-61 and Col. 7 lines 12-24). This may 
occur in a hierarchical fashion (Col. 9 lines 51-63). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by Register such that the method further 
comprises wherein said remaining data is stored only if the sum of predetermined 
expressions exceeds the threshold value in a plurality of categories. One would be 
motivated to have this, as there is need for detecting any specific type of selected 
content related to subject matter categories (In Russell-Falla: Col. 2 lines 24-36). 

79. Claim 68 is rejected under 35 U.S.C. 103(a) as being unpatentable over Ranum 
in view of Trcka and Russell-Falla as applied to claim 1 above, and further in view of 
U.S. Patent 5,850,388 by Anderson et al. (C.Anderson). 

80. With respect to Claim 68, Ranum in view of Trcka and Russell-Falla does not 
explicitly disclose prior to testing, attempting to identify a protocol by comparing the 
stored half session with known protocol patterns. 

Anderson teaches identifying a protocol by comparing an unknown protocol with 
known protocol patterns (Col. 18 lines 38-62). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to take the method disclosed by Ranum in view of Trcka and 
Russell-Falla and modify it as indicated by C.Anderson such that the method further 
comprises prior to testing, attempting to identify a protocol by comparing the stored half 
session with known protocol patterns. One would be motivated to have this, as it is 
desired for effective analysis and monitoring of network performance (In C.Anderson: 
Col. 3 line 2-16 and Col. 4 lines 1-11). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David Lazaro whose telephone number is 571-272- 
3986. The examiner can normally be reached on 8:30-5:00 M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 





David Lazaro 
March 31, 2006 



